Insurance relies on an ability to obtain sound actuarial data against an essentially static background of risk. The advent of the Internet and online business practices has generated a demand for cyber-insurance as businesses and individuals seek protection against cyber threats.
Existing technology infrastructure and services currently offered on computer networks are vulnerable to a wide variety of risks posed by a number of cyber threats. These threats include cyber security data and privacy breach, cyber security property damage, data and software loss, cyber extortion, distributed denial of service attacks, and various other intrusions (e.g., hacking, phishing, viruses, and spam attacks). As a countermeasure against the risks posed by these cyber threats, network users often depend on cyber security programs and systems including firewalls, antivirus and anti-spam software, intrusion-detection systems (IDSs), and other measures designed to reduce the likelihood of being adversely affected by cyber threats. Current efforts focus on developing and deploying tools to detect cyber threats in order to protect the cyber infrastructure and its users from the resulting negative impact of these threats.
However, in spite of improvements in risk protection resulting from advances in hardware, software, and cryptographic methodologies, providing and being able to obtain adequate and affordable coverage from cyber insurance poses a technical challenge not currently addressed by a sound technical solution. The traditional insurance framework that depends on access to sound actuarial data against a largely static risk backdrop fails when applied to the current cyber space environment. In this dynamic environment and in the absence of sound actuarial data, companies lack the ability to identify, predict, and assess the cyber security risk posed by cyber threats. The lack of visibility into the factors and parameters that impact types of cyber security risk leads to an inability to distinguish between users of different risk types (e.g., high risk versus low risk users) for different cyber threats, and an inability to effectively manage users undertaking actions that adversely affect loss probabilities after an insurance contract has been signed. The lack of understanding of the factors and parameters that impact types of cyber security risk, and the inability to identify actions that raise or mitigate cyber security risk, also impact a would-be insurer's ability to offer appropriate coverage against a given cyber security risk posed by a cyber threat. Prospective cyber-insurance companies are therefore hesitant to enter a market where they are unable to understand and keep up with the dynamic and constantly changing cyber space landscape. As a result, the market for cyber-insurance is unable to thrive, businesses and individuals are unable to obtain the coverage against cyber threats that they desire, and cyber coverage that is offered is not tailored to a particular insurance customer's cyber security profile but is instead tightly limited to decrease the risk to underwriters.